Requirements for IPv6 Firewalls

Seth Mos seth.mos at dds.nl
Fri Apr 18 05:16:51 UTC 2014


On 17 Apr 2014, at 20:50, William Herrin <bill at herrin.us> wrote:

> On Thu, Apr 17, 2014 at 2:32 PM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
>> It's a bigger risk to think that NAT somehow magically protects you against
>> stuff on the Internet.
> 
> You are entitled to your opinion and you are entitled to run your
> network in accordance with your opinion.
> 
> To vendors who would sell me product, I would respectfully suggest
> that attempts to forcefully educate me as to what I *should want*
> offers neither a short nor particularly successful path to closing a
> sale.

Having deployed IPv6 at the internet point and halfway into the company I work for, I can tell you that I am *really* glad that I can now see what a firewall rule does properly, instead of also having to peer at the NAT table, which is 1:1 or a port forward, etc. Also, when IPv4 NAT and rules don’t match up, hilarity ensues.

It greatly improves my workflow, it’s just become a whole lot easier for me.

NAT66 definitely has a place, and I’m a huge proponent of it so that small SMBs and home users can do Multi-WAN without BGP. That part isn’t solved yet by the IETF, but at least there is a really good RFC for NPt.

In my experience it improves security because of the transparency.

For anything resembling > 100 people, get an ASN, PI and BGP. You’ll thank me later; you are unlikely to have to renumber anything (1).

Kind regards,

Seth

(1) Yeah, I know, unless you grow from a /48 to a /32
> 
> Regards,
> Bill Herrin
> 
> 
> -- 
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
> 
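As an added illustration (not part of Seth's post or this thread) of the point that IPv4 NAT and filter rules have to line up while an IPv6 rule says exactly what it does, here is a constructed nftables ruleset; all addresses come from the documentation prefixes and RFC 1918, and the interface name "wan" is assumed:

```nftables
# Constructed example, not from the original post. Shows why a firewall rule
# is easier to read without NAT. Addresses are documentation-prefix examples.
table inet demo {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # IPv4 port forward: public 203.0.113.10:443 -> internal web server.
        iifname "wan" ip daddr 203.0.113.10 tcp dport 443 dnat ip to 192.168.1.20
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # IPv4: DNAT runs in prerouting, before this chain sees the packet, so
        # the filter rule must name the translated (internal) address. A rule
        # written against the public 203.0.113.10 here would never match and
        # the forward would silently fail: the NAT and the rule "don't match up".
        iifname "wan" ip daddr 192.168.1.20 tcp dport 443 accept

        # IPv6: no translation step, so the one rule states the whole policy
        # and can be audited on its own.
        iifname "wan" ip6 daddr 2001:db8:1::20 tcp dport 443 accept
    }
}
```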

More information about the NANOG mailing list